Welcome back to ByteWise! Today, with the episode launching on April Fool's Day, we're diving into the world of phishing tests. It's a topic that often straddles the line between a security measure and, let's be honest, a workplace prank. We're here to discuss how these tests have evolved, moving from potentially punitive tools to a more nuanced approach. Glen kicks us off by defining phishing as a subset of social engineering, focusing on email-based manipulation. He outlines the common tactics cybercriminals use, like malicious links and fraudulent requests.
We then delve into how the approach to phishing tests has changed. Initially, they were often predictable and monthly, but now, they're more random and ad-hoc. Glen explains how fear-based approaches have been counterproductive, damaging trust between employees and the IT/security team. We share personal anecdotes, like Daniela's memorable e-card phishing test experience, to illustrate this evolution.
The conversation shifts to moving beyond punitive measures. We discuss why mandatory training videos and disciplinary actions are ineffective, and instead, we emphasize the importance of clear reporting processes and effective training. We also touch on the necessity of including everyone, even IT, in these tests. Glen suggests focusing on varied training methods, like webinars and bite-sized modules, and creating a supportive environment for reporting suspicious activities.
We emphasize the importance of clear reporting and communication, ensuring employees know how and where to report suspicious activity. The gray area of dealing with repeat offenders is explored, discussing the balance between employee development and organizational risk. We discuss the importance of having a policy for repeat offenders.
Finally, we discuss fostering a security-aware culture, moving away from fear-based approaches and building trust. We emphasize the role of the IT/security team as a resource and the importance of friendly, approachable security personnel. Daniela wraps up the episode with final thoughts and a reminder to stay vigilant, especially on April Fool's Day.
Key Takeaways:
- Phishing tests should be educational tools, not punitive measures.
- Building a security-aware culture requires trust and open communication.
- Clear reporting processes are essential for effective security.
Resources:
https://tech.co/news/study-workplace-phishing-tests-success-rate
https://www.usenix.org/system/files/usenixsecurity24-schops.pdf
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy And Charlamagne Tha God!
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.